Update pnpm to v10.27.0 [SECURITY]

[matticbot]

This PR contains the following updates:

Package	Change	Age	Confidence
pnpm (source)	10.22.0 -> 10.27.0
pnpm (source)	^10.22.0 -> ^10.27.0

---

pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies

CVE-2025-69263 / GHSA-7vhp-vf5g-r2fw

More information

Details

Summary

HTTP tarball dependencies (and git-hosted tarballs) are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed.

Details

When a package depends on an HTTP tarball URL, pnpm's tarball resolver returns only the URL without computing an integrity hash:

resolving/tarball-resolver/src/index.ts:

return {
  resolution: {
    tarball: resolvedUrl,
    // No integrity field
  },
  resolvedVia: 'url',
}

The resulting lockfile entry has no integrity to verify:

remote-dynamic-dependency@http://example.com/pkg.tgz:
  resolution: {tarball: http://example.com/pkg.tgz}
  version: 1.0.0

Since there is no integrity hash, pnpm cannot detect when the server returns different content.

This affects:

• HTTP/HTTPS tarball URLs ("pkg": "https://example.com/pkg.tgz")
• Git shorthand dependencies ("pkg": "github:user/repo")
• Git URLs ("pkg": "git+https://github.com/user/repo")

npm registry packages are not affected as they include integrity hashes from the registry metadata.

PoC

See attached pnpm-bypass-integrity-poc.zip

The POC includes:

• A server that returns different tarball content on each request
• A malicious-package that depends on the HTTP tarball
• A victim project that depends on malicious-package

To run:

cd pnpm-bypass-integrity-poc
./run-poc.sh

The output shows that each install (with pnpm store prune between them) downloads different code despite having a committed lockfile.

Impact

An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. This enables:

• Targeted attacks based on request metadata (IP, headers, timing)
• Evasion of security audits (serve benign code during review, malicious code later)
• Supply chain attacks where the malicious payload changes over time

The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References

• https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw
• https://github.com/pnpm/pnpm

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

CVE-2025-69264 / GHSA-379q-355j-w6rj

More information

Details

pnpm v10+ Git Dependency Script Execution Bypass

Summary

A security bypass vulnerability in pnpm v10+ allows git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval.

Details

pnpm v10 introduced a security feature to disable dependency lifecycle scripts by default (PR #​8897). This is implemented by setting onlyBuiltDependencies = [] when no build policy is configured:

File: pkg-manager/core/src/install/extendInstallOptions.ts (lines 290-291)

if (opts.neverBuiltDependencies == null && opts.onlyBuiltDependencies == null && opts.onlyBuiltDependenciesFile == null) {
  opts.onlyBuiltDependencies = []
}

This creates an allowlist that blocks all packages from running scripts during the BUILD phase in exec/build-modules/src/index.ts.

However, git-hosted dependencies are processed differently. During the FETCH phase, git packages are prepared using preparePackage():

File: exec/prepare-package/src/index.ts (lines 28-57)

export async function preparePackage (opts: PreparePackageOptions, gitRootDir: string, subDir: string) {
  // ...
  if (opts.ignoreScripts) return { shouldBeBuilt: true, pkgDir }  // Only checks ignoreScripts, not onlyBuiltDependencies

  const execOpts: RunLifecycleHookOptions = {
    // ...
    rawConfig: omit(['ignore-scripts'], opts.rawConfig),  // Explicitly removes ignore-scripts!
  }

  // Runs npm/pnpm install
  await runLifecycleHook(installScriptName, manifest, execOpts)

  // Runs prepare scripts
  for (const scriptName of PREPUBLISH_SCRIPTS) {  // ['prepublish', 'prepack', 'publish']
    await runLifecycleHook(newScriptName, manifest, execOpts)
  }
}

The ignoreScripts option defaults to false and is completely separate from onlyBuiltDependencies. The onlyBuiltDependencies allowlist is never consulted during the fetch phase.

Affected scripts that execute during fetch:

• prepare
• prepublish
• prepack

Attack vectors:

• git+https://github.com/attacker/malicious.git
• github:attacker/malicious
• gitlab:attacker/malicious
• bitbucket:attacker/malicious
• git+ssh://git@github.com/attacker/malicious.git
• git+file:///path/to/local/repo

PoC

Prerequisites:

• pnpm v10.0.0 or later (tested on v10.23.0 and v11.0.0-alpha.1)
• git

Steps to reproduce:

1. Extract the attached poc.zip

2. Run the PoC script:

   cd poc
   chmod +x run-poc.sh
   ./run-poc.sh

3. Verify the marker file was created by the malicious script:

   cat /tmp/pnpm-vuln-poc-marker.txt

Manual reproduction:

1. Create a malicious package with a prepare script:

   {
     "name": "malicious-pkg",
     "version": "1.0.0",
     "scripts": {
       "prepare": "node -e \"require('fs').writeFileSync('/tmp/pwned.txt', 'RCE!')\""
     }
   }

2. Initialize it as a git repo and commit the files

3. Create a victim project that depends on it (just have to make sure it actually git clones and not just downloads a tarball):

   {
     "dependencies": {
       "malicious-pkg": "git+file:///path/to/malicious-pkg"
     }
   }

4. Run pnpm install - the prepare script executes without any warning or approval prompt

Impact

Severity: High

Who is impacted:

• All pnpm v10+ users
• Users who believed they were protected by the v10 "scripts disabled by default" feature
• CI/CD pipelines

Attack scenarios:

1. Supply chain attack: An attacker compromises a dependency, adding to it a malicious git dependency that executes arbitrary code during pnpm install

What an attacker can do:

• Execute arbitrary code with the victim's privileges
• Exfiltrate environment variables, secrets, and credentials
• Modify source code or inject backdoors
• Establish persistence or reverse shells
• Access the filesystem and network

Why this bypasses security expectations:

• pnpm v10 changelog explicitly states "Lifecycle scripts of dependencies are not executed during installation by default"
• Users expect git dependencies to follow the same security model as npm registry packages
• There is no warning that git dependencies are treated differently
• The onlyBuiltDependencies configuration does not affect git dependencies

Severity

• CVSS Score: 8.8 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

• https://github.com/pnpm/pnpm/security/advisories/GHSA-379q-355j-w6rj
• https://github.com/pnpm/pnpm

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

pnpm vulnerable to Command Injection via environment variable substitution

CVE-2025-69262 / GHSA-2phv-j68v-wwqx

More information

Details

Summary

A command injection vulnerability exists in pnpm when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve remote code execution (RCE) in build environments.

Affected Components

• Package: pnpm
• Versions: All versions using @pnpm/config.env-replace and loadToken functionality
• File: pnpm/network/auth-header/src/getAuthHeadersFromConfig.ts - loadToken() function
• File: pnpm/config/config/src/readLocalConfig.ts - .npmrc environment variable substitution

Technical Details

Vulnerability Chain

1. Environment Variable Substitution

   • .npmrc supports ${VAR} syntax
   • Substitution occurs in readLocalConfig()

2. loadToken Execution

   • Uses spawnSync(helperPath, { shell: true })
   • Only validates absolute path existence

3. Attack Flow

.npmrc: registry.npmjs.org/:tokenHelper=${HELPER_PATH}
   ↓
envReplace() → /tmp/evil-helper.sh
   ↓
loadToken() → spawnSync(..., { shell: true })
   ↓
RCE achieved

Code Evidence

pnpm/config/config/src/readLocalConfig.ts:17-18

key = envReplace(key, process.env)
ini[key] = parseField(types, envReplace(val, process.env), key)

pnpm/network/auth-header/src/getAuthHeadersFromConfig.ts:60-71

export function loadToken(helperPath: string, settingName: string): string {
  if (!path.isAbsolute(helperPath) || !fs.existsSync(helperPath)) {
    throw new PnpmError('BAD_TOKEN_HELPER_PATH', ...)
  }
  const spawnResult = spawnSync(helperPath, { shell: true })
  // ...
}

Proof of Concept

Prerequisites

• Private npm registry access
• Control over environment variables
• Ability to place scripts in filesystem

PoC Steps

##### 1. Create malicious helper script
cat > /tmp/evil-helper.sh << 'SCRIPT'

#!/bin/bash
echo "RCE SUCCESS!" > /tmp/rce-log.txt
echo "TOKEN_12345"
SCRIPT
chmod +x /tmp/evil-helper.sh

##### 2. Create .npmrc with environment variable
cat > .npmrc << 'EOF'
registry=https://registry.npmjs.org/
registry.npmjs.org/:tokenHelper=${HELPER_PATH}
EOF

##### 3. Set environment variable (attacker controlled)
export HELPER_PATH=/tmp/evil-helper.sh

##### 4. Trigger pnpm install
pnpm install  # RCE occurs during auth

##### 5. Verify attack
cat /tmp/rce-log.txt

PoC Results

==> Attack successful
==> File created: /tmp/rce-log.txt
==> Arbitrary code execution confirmed

Impact

Severity

• CVSS Score: 7.6 (High)
• CVSS Vector: cvss:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Environments

High Risk:

• CI/CD pipelines (GitHub Actions, GitLab CI)
• Docker build environments
• Kubernetes deployments
• Private registry users

Low Risk:

• Public registry only
• Production runtime (no pnpm execution)
• Static sites

Attack Scenarios

Scenario 1: CI/CD Supply Chain

Repository → Build Trigger → pnpm install → RCE → Production Deploy

Scenario 2: Docker Build

FROM node:20
ARG HELPER_PATH=/tmp/evil
COPY .npmrc .
RUN pnpm install  # RCE

Scenario 3: Kubernetes

Secret Control → Env Variable → .npmrc Substitution → RCE

Mitigation

Temporary Workarounds

Disable tokenHelper:

##### .npmrc
##### registry.npmjs.org/:tokenHelper=${HELPER_PATH}

Use direct tokens:

//registry.npmjs.org/:_authToken=YOUR_TOKEN

Audit environment variables:

• Review CI/CD env vars
• Restrict .npmrc changes
• Monitor build logs

Recommended Fixes

1. Remove shell: true from loadToken
2. Implement helper path allowlist
3. Validate substituted paths
4. Consider sandboxing

Disclosure

• Discovery: 2025-11-02
• PoC: 2025-11-02
• Report: [Pending disclosure decision]

References

• Repository: https://github.com/pnpm/pnpm
• Affected: @pnpm/config.env-replace@^3.0.2
• Similar: CVE-2024-53866, CVE-2023-37478

Credit

Reported by: Jiyong Yang
Contact: sy2n0@​naver.com

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

References

• https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx
• https://github.com/pnpm/pnpm

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

pnpm/pnpm (pnpm)

v10.27.0: pnpm 10.27

Compare Source

Minor Changes

• Adding trustPolicyIgnoreAfter allows you to ignore trust policy checks for packages published more than a specified time ago#​10352.

• Added project registry for global virtual store prune support.

  Projects using the store are now registered via symlinks in {storeDir}/v10/projects/. This enables pnpm store prune to track which packages are still in use by active projects and safely remove unused packages from the global virtual store.

• Semi-breaking. Changed the location of unscoped packages in the virtual global store. They will now be stored under a directory named @ to maintain a uniform 4-level directory depth.

• Added mark-and-sweep garbage collection for global virtual store.

  pnpm store prune now removes unused packages from the global virtual store's links/ directory. The algorithm:

  1. Scans all registered projects for symlinks pointing to the store
  2. Walks transitive dependencies to mark reachable packages
  3. Removes any package directories not marked as reachable

  This includes support for workspace monorepos - all node_modules directories within a project (including those in workspace packages) are scanned.

Patch Changes

• Throw an error if the value of the tokenHelper or <url>:tokenHelper setting contains an environment variable.
• Git dependencies with build scripts should respect the dangerouslyAllowAllBuilds settings #​10376.
• Skip the package manager check when running with --global and a project packageManager is configured, and warn that the check is skipped.
• pnpm store prune should not fail if the dlx cache directory has files, not only directories #​10384
• Fixed a bug (#​9759) where pnpm add would incorrectly modify a catalog entry in pnpm-workspace.yaml to its exact version.

Platinum Sponsors

Gold Sponsors

v10.26.2: pnpm 10.26.2

Compare Source

Patch Changes

• Improve error message when a package version exists but does not meet the minimumReleaseAge constraint. The error now clearly states that the version exists and shows a human-readable time since release (e.g., "released 6 hours ago") #​10307.

• Fix installation of Git dependencies using annotated tags #​10335.

  Previously, pnpm would store the annotated tag object's SHA in the lockfile instead of the actual commit SHA. This caused ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out commit hash didn't match the stored tag object hash.

• Binaries of runtime engines (Node.js, Deno, Bun) are written to node_modules/.bin before lifecycle scripts (install, postinstall, prepare) are executed #​10244.

• Try to avoid making network calls with preferOffline #​10334.

Platinum Sponsors

Gold Sponsors

v10.26.1: pnpm 10.26.1

Compare Source

Patch Changes

• Don't fail on pnpm add, when blockExoticSubdeps is set to true #​10324.
• Always resolve git references to full commits and ensure HEAD points to the commit after checkout #​10310.

Platinum Sponsors

Gold Sponsors

v10.26.0: pnpm 10.26

Compare Source

Minor Changes

• Semi-breaking. Block git-hosted dependencies from running prepare scripts unless explicitly allowed in onlyBuiltDependencies #​10288.

• Semi-breaking. Compute integrity hash for HTTP tarball dependencies when fetching, storing it in the lockfile to prevent servers from serving altered content on subsequent installs #​10287.

• Added a new setting blockExoticSubdeps that prevents the resolution of exotic protocols in transitive dependencies.

  When set to true, direct dependencies (those listed in your root package.json) may still use exotic sources, but all transitive dependencies must be resolved from a trusted source. Trusted sources include the configured registry, local file paths, workspace links, trusted GitHub repositories (node, bun, deno), and custom resolvers.

  This helps to secure the dependency supply chain. Packages from trusted sources are considered safer, as they are typically subject to more reliable verification and scanning for malware and vulnerabilities.

  Exotic sources are dependency locations that bypass the usual trusted resolution process. These protocols are specifically targeted and blocked: Git repositories (git+ssh://...) and direct URL links to tarballs (https://.../package.tgz).

  Related PR: #​10265.

• Added support for allowBuilds, which is a new field that can be used instead of onlyBuiltDependencies and ignoredBuiltDependencies. The new allowBuilds field in your pnpm-workspace.yaml uses a map of package matchers to explicitly allow (true) or disallow (false) script execution. This allows for a single, easy-to-manage source of truth for your build permissions.

  Example Usage. To explicitly allow all versions of esbuild to run scripts and prevent core-js from running them:

  allowBuilds:
    esbuild: true
    core-js: false

  The example above achieves the same result as the previous configuration:

  onlyBuiltDependencies:
    - esbuild
  ignoredBuiltDependencies:
    - core-js

  Related PR: #​10311

• Added support for --dry-run to the pack command #​10301.

Patch Changes

• Show deprecation in table/list formats when latest version is deprecated #​8658.
• Remove the injectWorkspacePackages setting from the lockfile on the deploy command #​10294.
• Normalize the tarball URLs before saving them to the lockfile. URLs should not contain default ports, like :80 for http and :443 for https #​10273.
• When a dependency is installed via a direct URL that redirects to another URL and is immutable, the original URL is normalized and saved to package.json #​10197.

Platinum Sponsors

Gold Sponsors

v10.25.0: pnpm 10.25

Compare Source

Minor Changes

• Allow loading certificates from cert, ca, and key for specific registry URLs. E.g., //registry.example.com/:ca=-----BEGIN CERTIFICATE-----.... Previously this was only working via certfile, cafile, and keyfile.

  These properties are supported in .npmrc, but were ignored by pnpm, this will make pnpm read and use them as well.

  Related PR: #​10230.

• Added a new flag called --bare to pnpm init for creating a package.json with the bare minimum of required fields #​10226.

Patch Changes

• Improved reporting of ignored dependency scripts #​10276.
• pnpm install should build any dependencies that were added to onlyBuiltDependencies and were not built yet #​10256.
• pnpm publish -r --force should allow to run publish over already existing versions in the registry #​10272.
• Don't fail with a ERR_PNPM_MISSING_TIME error if a package that is excluded from trust policy checks is missing the time field in the metadata.

Platinum Sponsors

Gold Sponsors

v10.24.0: pnpm 10.24

Compare Source

Minor Changes

• Increased network concurrency on machines with many CPU cores. pnpm now automatically selects a network concurrency between 16 and 64, based on the number of pnpm workers (calculated as workers × 3). This improves performance on high-core systems #​10068.

Patch Changes

• trustPolicy should ignore the trust evidences of prerelease versions, when installing a non-prerelease version.
• Handle ENOENT errors thrown by fs.linkSync(), which can occur in containerized environments (OverlayFS) instead of EXDEV. The operation now gracefully falls back to fs.copyFileSync() in these cases #​10217.
• Reverted: pnpm self-update should download pnpm from the configured npm registry #​10205.
• Packages that don't have a package.json file (like Node.js) should not be reimported from the store on every install. Another file from the package should be checked in order to verify its presence in node_modules.
• Correctly read auth tokens for URLs that contain underscores #​17.

Platinum Sponsors

Gold Sponsors

v10.23.0: pnpm 10.23

Compare Source

Minor Changes

• Added --lockfile-only option to pnpm list #​10020.

Patch Changes

• pnpm self-update should download pnpm from the configured npm registry #​10205.
• pnpm self-update should always install the non-executable pnpm package (pnpm in the registry) and never the @pnpm/exe package, when installing v11 or newer. We currently cannot ship @pnpm/exe as pkg doesn't work with ESM #​10190.
• Node.js runtime is not added to "dependencies" on pnpm add, if there's a engines.runtime setting declared in package.json #​10209.
• The installation should fail if an optional dependency cannot be installed due to a trust policy check failure #​10208.
• pnpm list and pnpm why now display npm: protocol for aliased packages (e.g., foo npm:is-odd@3.0.1) #​8660.
• Don't add an extra slash to the Node.js mirror URL #​10204.
• pnpm store prune should not fail if the store contains Node.js packages #​10131.

Platinum Sponsors

Gold Sponsors

---

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[matticbot]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined

Command failed: /tmp/monorepo/.github/files/renovate-post-upgrade-run.sh renovate/npm-pnpm-vulnerability
warning: unable to access '/home/ubuntu/.config/git/attributes': Permission denied
warning: unable to access '/home/ubuntu/.config/git/ignore': Permission denied
 WARN  Issue while reading "/home/ubuntu/.npmrc". EACCES: permission denied, open '/home/ubuntu/.npmrc'
 WARN  Issue while reading "/home/ubuntu/.config/pnpm/rc". EACCES: permission denied, open '/home/ubuntu/.config/pnpm/rc'
 WARN  Issue while reading "/home/ubuntu/.npmrc". EACCES: permission denied, open '/home/ubuntu/.npmrc'
 WARN  Issue while reading "/home/ubuntu/.config/pnpm/rc". EACCES: permission denied, open '/home/ubuntu/.config/pnpm/rc'
 WARN  Issue while reading "/home/ubuntu/.npmrc". EACCES: permission denied, open '/home/ubuntu/.npmrc'
 WARN  Issue while reading "/home/ubuntu/.config/pnpm/rc". EACCES: permission denied, open '/home/ubuntu/.config/pnpm/rc'
warning: unable to access '/home/ubuntu/.config/git/ignore': Permission denied

[manzoorwanijk]

@anomiex pnpm seems to use this format/structure. Should we stick to that to make it easier to review such changes in future?

[anomiex]

I'd rather keep comments in this file. It's annoying pnpm operations want to strip them.

Probably I'll wind up writing something to see what change Renovate tried to do and reapply it more sensibly.

[anomiex]

Oh, never mind, this is only changed here because pnpm aborted.

 ERR_PNPM_UNSUPPORTED_ENGINE  Unsupported environment (bad pnpm and/or Node.js version)

Your pnpm version is incompatible with "/tmp/renovate/repos/github/Automattic/jetpack".

Expected version: ^10.27.0
Got: 10.22.0

renovatebot/renovate#39168 is still open.

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WoA dev site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin (Jetpack or WordPress.com Site Helper), and enable the renovate/npm-pnpm-vulnerability branch.
• To test on Simple, run the following command on your sandbox:

bin/jetpack-downloader test jetpack renovate/npm-pnpm-vulnerability

bin/jetpack-downloader test jetpack-mu-wpcom-plugin renovate/npm-pnpm-vulnerability

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[jp-launch-control]

Code Coverage Summary

This PR did not change code coverage!

That could be good or bad, depending on the situation. Everything covered before, and still is? Great! Nothing was covered before? Not so great. 🤷

Full summary · PHP report · JS report